Google and Apple users under government surveillance, NFT vulnerability and other cybersecurity developments

We have gathered the week’s most important cybersecurity news.

NFT collections on OpenSea and Coinbase were at risk due to a vulnerability in an open-source library

Developers of the Web3-platform Thirdweb discovered a vulnerability in an unnamed open-source library that could affect the security of many smart contracts and NFT collections.

IMPORTANT

On November 20th, 2023 6pm PST, we became aware of a security vulnerability in a commonly used open-source library in the web3 industry.

This impacts a variety of smart contracts across the web3 ecosystem, including some of thirdweb’s pre-built smart contracts.…

— thirdweb (@thirdweb) December 5, 2023

Although the vulnerability has not yet been exploited by attackers, it could cause significant damage if not fixed. The full list of affected smart contracts is available at the link.

Thirdweb discovered the issue on November 20 and notified the teams maintaining the open-source library. Details of the exploit were not disclosed to users for safety.

Experts offered to help fix the issue and recommended the tool revoke.cash to revoke permissions on the affected smart contracts created before November 22, 19:00 PST (November 23 05:00 Kyiv/06:00 Moscow).

Thirdweb also raised the bug bounty from $25,000 to $50,000 and tightened the auditing process. In addition, the company pledged to cover the gas costs for fixing the contracts.

Major NFT marketplaces reacted. Coinbase said the vulnerability affected some of its collections created with Thirdweb, though customer funds on the exchange remained safe.

1/ The Coinbase team was informed at 9p PT on Fri 12/1 by @thirdweb of a security vulnerability in a common open-source library, impacting some NFT collections on Coinbase NFT created with thirdweb.

There has been no breach of the Coinbase platform. Customer funds remain secure. https://t.co/elRGxjysif

— Coinbase NFT ?️? (@Coinbase_NFT) December 5, 2023

OpenSea, OpenZeppelin and Animoca Brands’ Mocaverse are also working with Thirdweb to reduce risks and help users.

Google and Apple admit to aiding government surveillance worldwide

The office of U.S. Senator Ron Wyden, in the course of an investigation, confirmed that governments around the world request information from Google and Apple about push notifications used to surveil users.

Such messages pass through Google Firebase Cloud Messaging and Apple Push Notification Service, but the companies act as intermediaries in transmitting metadata.

With their help, an interested party can obtain information about apps in use, other participants in conversations, and potentially the device owner’s location.

Google and Apple have already confirmed that this form of cooperation was prohibited from disclosure by government instruction, and therefore it was not disclosed in annual “Transparency” reports.

The senator’s office initially received information about this from an external source. It is unclear how long such data collection was in use.

Wyden has now asked the U.S. Department of Justice to permit tech companies to inform users about this program.

Britain and the United States imposed sanctions on FSB-linked hackers

Authorities in the United Kingdom and the United States imposed sanctions on two members of the Callisto hacking group, run by the FSB’s Information Security Center — Ruslan Peretyatko and Andrey Korinets.

According to court findings, Russians have conducted a series of phishing attacks on organizations worldwide since 2015 to steal confidential data.

Specifically, the National Cyber Security Centre (NCSC) linked Callisto to the leakage of trade papers between the UK and US, the 2018 hacking of the British analytical center Institute for Statecraft, and the cyberattack on the Statecraft founder Christopher Donnelly.

Both hackers are wanted. U.S. authorities are offering up to $10 million for information on their whereabouts.

Video and photo editors being used to attack Mac users

Kaspersky researchers have identified at least 35 programs for data recovery, network scanning and image editing used in attacks on macOS devices.

Our researchers uncovered a new proxy trojan that hides in hacked macOS applications. How it works and what it means for you, see our new post: https://t.co/3xpNR0l4Je pic.twitter.com/9xLkRRyqhO

— Kaspersky (@Kaspersky_ru) December 1, 2023

The Trojan turns devices into terminals for traffic redirection to anonymize illicit activity, hacking and phishing.

Among the most popular infected programs:

• 4K Video Downloader Pro;
• Aissessoft Mac Data Recovery;
• Aiseesoft Mac Video Converter Ultimate;
• AnyMP4 Android Data Recovery for Mac;
• Downie 4;
• FonePaw Data Recovery;
• Sketch;
• Wondershare UniConverter 13;
• SQLPro Studio;
• Artstudio Pro.

Unlike legitimate software distributed as disk images, malicious versions are downloaded as PKG files, which are processed by a dedicated Installer utility.

Researchers also found several samples of similar proxy trojan created for Android and Windows.

North Korea hackers attacked South Korea’s air defence systems and stole $360,000 in cryptocurrency

The Seoul Metropolitan Police Agency, together with the U.S. FBI, is investigating breaches of 14 organizations carried out by the North Korean hacking group Andariel, according to local media.

The incident affected major players in telecoms, information security and IT, technology centers, universities and research institutes, pharmaceutical companies, defense contractors and financial institutions.

South Korean authorities said data on laser weaponry used to operate the national air defense system was stolen.

Andariel carried out three attacks using ransomware, resulting in cryptocurrency theft worth 470 million won (more than $360,000). Some of the funds were confiscated by authorities.

South Korea’s intelligence agencies regard the intrusions as part of a broader campaign that, in total, led to the leakage of more than 1.2 TB of data.

23andMe confirms genetic data leak affecting 6.9 million users

The genetic testing company 23andMe reported that hackers gained access to personal data of about 14,000 individuals, representing 0.1% of its total client base, as well as a “substantial amount” of ancestry files for other users.

The cyber incident occurred in October. In a new statement to TechCrunch, 23andMe representatives clarified that overall this involves 6.9 million people who had agreed to automatically share data through the “DNA Relatives” and “Family Tree” features.

The disclosed information included:

• the person’s name;
• year of birth;
• relationship marks;
• percentage of shared DNA with relatives;
• ancestry reports;
• location.

According to 23andMe, the hackers gained access to victims’ accounts using well-known passwords exposed in breaches at other companies.

The attackers attempted to sell the obtained data for between $1 and $10 per profile.

The total client base at 23andMe is 14 million. To hinder potential litigation, the company updated its Terms of Service, including a clause mandating arbitration for disputes.

Russia imposes hefty penalties for improper biometric data processing

On December 5, the Russian State Duma, in third reading, adopted a law tightening administrative responsibility for illegal processing of personal data or processing without a written consent of the person.

The document sets fines: for citizens — 10,000 to 15,000 rubles, for officials — 100,000 to 300,000 rubles, for legal entities — 300,000 to 700,000 rubles.

For repeat offenses the amounts rise: for citizens — 15,000 to 30,000 rubles, for officials — 300,000 to 500,000 rubles, for individual entrepreneurs — 500,000 to 1 million rubles, for legal entities — 1 million to 1.5 million rubles.

The law also introduces a new COAP article on violations in placing personal data in the Unified Biometric System. Officials face fines from 100,000 to 300,000 rubles, legal entities from 500,000 to 1 million rubles.

Roskomnadzor explained the need for higher biometric protection, citing that a person cannot change it like a regular password online.

Also on ForkLog:

• The TON blockchain experienced a glitch after the launch of an Ordinals analogue.
• In Kazakhstan the number of closed illegal Bitcoin exchanges was tallied.
• Founder of Bitzlato admitted laundering $700 million and agreed to close the company.
• Bitcoin exchange ATAIX Eurasia will discontinue servicing Russians.
• A U.S. court pointed to misrepresentation of information by the SEC in the DEBT Box case.
• The court dropped charges against the Platypus Finance hacker.
• Circle unveiled solutions for reversibility of blockchain transactions.
• KyberSwap pledged compensation to victims of the breach totaling $48 million.
• Report: over six years, North Korean hackers stole $3 billion in cryptocurrency.

What to read this weekend?

We examine the advantages and drawbacks of the InterPlanetary File System IPFS for decentralized storage and data sharing.